Google says its Wallet is still safer than your leather one

Google’s mobile commerce team spent the week doing damage control after the revelation of security flaws. Last week, it was widely reported that engineers at Zvelo, which provides web-categorization services, had found vulnerabilities in Google Wallet that allowed an app they had written to expose the PIN and tap prepaid funds in the wallet. Google’s initial response was to advise users not to run Google Wallet on rooted phones and to be sure to keep the screen lock on. But further work, as reported by Zvelo engineer Joshua Rubin, suggests that the hack requires root access, but not necessarily a pre-rooted phone: “While it is true that this PIN vulnerability requires root privileges to succeed, it does not require that the device be rooted previously.” Rubin’s post and a nice summary by Neil J. Rubenking at PCMag give a good picture of the vulnerability.

Security flaws like this feel inevitable to those accustomed to the ups and downs of web start-ups and the public bugs that accompany any release-early, release-often philosophy. They are, however, more alarming to those who work with banks, merchants, and anyone else who has experience moving money around. Bank Technology News captured the split between the two attitudes and cited Aaron McPherson, a practice director with IDC Financial Insights, as saying the recent security problem demonstrates “an almost cavalier attitude by non-payments companies toward protecting consumer security.”

Google wasn’t cowed by the charges, responding with a calm coolness and an insistence that, despite any flaws in its payments system, it’s still better than what everyone else is doing:

“Mobile payments are going to become more common in the coming years and we will learn much more as we continue to develop Google Wallet. In the meantime, you can be confident that the digital wallet you carry provides defenses that plastic and leather simply don’t.”


If, on the other hand, you’re at your local Starbucks, you’ll want to pay with one click by unlocking your Starbucks mobile payment option, generating a 2D barcode, and holding it up for the cashier to scan. But suppose you were feeling too groovy for Starbucks this morning and you stopped at your local independent coffee house? Then you might want to pay with a single click with Square’s Card Case, providing your indie coffee guy has signed up for that. At Home Depot, you’ll want to use PayPal, at Macy’s you can tap-and-pay with Google Wallet, and you might need to pay with American Express to get the Foursquare deal that your local eatery is offering.

Mobile payment is exhausting in its current, fragmented state, but it will be interesting to see which systems gain critical mass. Recent web history offers some clues. It was not too long ago that a half dozen search engines, including AltaVista, Yahoo and AskJeeves competed for your searches until one company offered a simpler way with more effective results. And five years ago there were a handful of social network sites competing for our profiles, including MySpace, Orkut, and Friendster, until Facebook rose on a platform of sharing photos, social games, and an easy interface. So which mobile-payments option will find the right combination of security, usability and adoption first?

Adele scorns freemium model

Freemium may be the up-and-coming dominant model in mobile apps — particularly in games — but not everyone is in love with the concept. Adele, who just took home six Grammy awards, declined Spotify’s request to stream her award-winning album “21” on its service. According to Austin Carr on Fast Company, the reason is that Spotify offers two tiers of service: a free ad-supported service and a premium one without ads. Adele was willing to let “21” stream to Spotify’s paying customers, but not to those riding for free. Spotify, which doesn’t offer different libraries for its two tiers, couldn’t accommodate the request. So while you could buy “21” on iTunes or hear it on Rhapsody (where everyone pays to stream), you can’t hear it on Spotify. But, as Carr points out, with a 20% conversion rate of free subscribers to paying ones, who can second-guess Spotify?


PayPal is offering to process retailers’ credit and debit card transactions at a cost that is lower than interchange. What that means is that, if a merchant is paying less than the full interchange amount, PayPal would have to make up the balance. About 55% of PayPal’s transactions are funded from its users’ bank card accounts (and are therefore subject to interchange fees). So PayPal is proposing to not only forgo any profit on the card-funded transactions it will be processing, but to actually lose money on them. All of them! This is indeed an offer that no merchant can refuse and is as big a challenge to Visa and MasterCard as we are likely to see.